-= Per source details. Do not edit below this line.=-
The package's preinstall hook ("node index.js") runs automatically on npm install and executes an exfiltration payload. index.js requires child_process, os, http, and https, collects the installer's hostname, platform, arch, home directory, user info (username/uid/gid/shell), the output of whoami/id, and cwd, then POSTs the JSON payload to a hardcoded Burp Collaborator subdomain at https://s70v1tcmg3npuykzzok5t0tdz45vtlha.oastify.com/detox56. The package name 'events-alias' mimics the ubiquitous Node core 'events' module namespace but ships only this install-time recon/exfil payload; an undeclared ~10KB binary blob named 'i' also ships in the tarball but is not referenced from the executed code. Installing this package leaks installer identity/host reconnaissance data to attacker-controlled infrastructure.
{
"malicious-packages-origins": [
{
"sha256": "164642716a755117674746c1c2534b0ac47d56bed2348e7a800c3d37a98074e9",
"id": "IN-MAL-2026-008171",
"source": "amazon-inspector",
"import_time": "2026-07-08T17:40:19.849331827Z",
"modified_time": "2026-07-08T17:31:00Z",
"versions": [
"15.0.1"
]
}
]
}{
"evidence_files": [
{
"path": "index.js",
"tlsh": "3b5141c515f65a251ba7b8494a4f9402b227e0033606de55bfcc8740af9537c9bf0bf6",
"sha256": "97807c86a507cbabc4bbb48a63d172bf5119a7cbf9b6e17284daf3146ca1cb78"
},
{
"path": "package.json",
"tlsh": "20d05e204d21552325c50256182a948762618e6f24047c08a39b182c81ce27798ff35d",
"sha256": "ac0e68353e0abc16a670e391f14219e95ccee234f78e3e1b157cc08973aec790"
},
{
"path": "i",
"tlsh": "d72288760912a800a723bdd54ee8ec5e25e8e47d621f683cf456efb62b8c14d5f1e123",
"sha256": "5a80c722939ba6f3373043432a13cefcf6b36a52124ed1e6d261dbecd428953a"
}
],
"package_integrity": [
{
"filename": "events-alias-15.0.1.tgz",
"hashes": {
"sha1": "e76b699e268e839e92f9b6f29ae91b72fa5ccfd9",
"sha512_sri": "sha512-f3QbnSOf+8yT0+Od5wvtYZMmZMmVcQgRG1CB/UJ5RBpgLC7fmq3yWVLZnv2uPMc5esUKRzlzqJ0FtyYse6rPgw=="
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/events-alias/MAL-2026-7011.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]